Pass-the-Hash Attack
Last updated
Pass-the-Hash (PtH) attacks allow an attacker to authenticate to a target system with a stolen NTLM hash without first cracking it. Instead of cracking the hash to recover the plaintext password, the attacker presents the hash itself in the NTLM authentication exchange, impersonating the legitimate user and gaining access to the system.
Once an attacker has retrieved NTLM hashes, they can proceed without cracking them by using tools designed for PtH attacks, such as:
Metasploit PsExec Module: This module executes commands on a remote system, authenticating with an NTLM hash instead of a password.
CrackMapExec: A versatile tool that performs lateral movement by using NTLM hashes to authenticate to and access hosts across the network.
PtH attacks abuse legitimate credentials, so they gain access to systems without relying on any service vulnerability. Even where the target's services are patched and firewall rules restrict other access, the technique still succeeds, because the harvested credentials authenticate over a normal, permitted channel exactly as the real user would.
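Because PtH rides on legitimate NTLM authentication rather than an exploit, the defender's handle on it is the logon telemetry the authentication itself produces. The following is an added example, not code from the original page: a small Python detector that scans Windows Security event 4624 records and flags two well-known PtH heuristics, a network (type 3) NTLM logon negotiated without a session key (KeyLength=0) and a NewCredentials (type 9) logon through the seclogo process with the Negotiate package, which is how credentials injected into a fresh logon session appear. The flattened key=value event lines and every host, user and address in them are constructed for this example; the field names follow the 4624 event schema.

```python
"""Heuristic Pass-the-Hash detection over Windows Security 4624 events.

Added example for this page, not the page's own code. The sample events
below are constructed; field names mirror the Windows 4624 event schema.
"""
import re

# Constructed sample events in a flattened "key=value" form, one per line,
# as a log shipper might emit them. Hosts, users and addresses are made up.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM LogonProcessName=NtLmSsp KeyLength=0 SubjectUserSid=S-1-0-0 TargetUserName=jdoe IpAddress=10.0.0.25 WorkstationName=WS01
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM LogonProcessName=NtLmSsp KeyLength=128 SubjectUserSid=S-1-0-0 TargetUserName=jdoe IpAddress=10.0.0.25 WorkstationName=WS01
EventID=4624 LogonType=9 AuthenticationPackageName=Negotiate LogonProcessName=seclogo KeyLength=0 SubjectUserSid=S-1-5-21-1-2-3-1001 TargetUserName=jdoe IpAddress=- WorkstationName=WS01
EventID=4624 LogonType=3 AuthenticationPackageName=NTLM LogonProcessName=NtLmSsp KeyLength=0 SubjectUserSid=S-1-0-0 TargetUserName=ANONYMOUS LOGON IpAddress=10.0.0.30 WorkstationName=-
EventID=4624 LogonType=2 AuthenticationPackageName=Kerberos LogonProcessName=Kerberos KeyLength=0 SubjectUserSid=S-1-0-0 TargetUserName=asmith IpAddress=- WorkstationName=WS02
"""

# key=value pairs; values may contain spaces (e.g. "ANONYMOUS LOGON"), so the
# value runs lazily until the next " key=" token or the end of the line.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one flattened event line into a dict of field name -> value."""
    return dict(_KV_RE.findall(line))


def classify(event):
    """Return the PtH heuristics this 4624 event matches ([] if none)."""
    if event.get("EventID") != "4624":
        return []
    reasons = []
    logon_type = event.get("LogonType")
    user = event.get("TargetUserName", "")
    # Heuristic 1: network NTLM logon that negotiated no session key.
    # Anonymous SMB sessions also look like this, so they are excluded.
    if (logon_type == "3"
            and event.get("AuthenticationPackageName") == "NTLM"
            and event.get("LogonProcessName") == "NtLmSsp"
            and event.get("KeyLength") == "0"
            and user.upper() != "ANONYMOUS LOGON"):
        reasons.append("network NTLM logon with no session key (KeyLength=0)")
    # Heuristic 2: NewCredentials logon via seclogo/Negotiate, i.e. alternate
    # credentials injected into a new logon session (same shape as runas /netonly).
    if (logon_type == "9"
            and event.get("LogonProcessName") == "seclogo"
            and event.get("AuthenticationPackageName") == "Negotiate"):
        reasons.append("NewCredentials logon via seclogo/Negotiate")
    return reasons


def find_suspicious(log_text):
    """Scan flattened event lines; return (user, source_ip, workstation, reasons) per hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("TargetUserName"),
                         event.get("IpAddress"),
                         event.get("WorkstationName"),
                         reasons))
    return hits


if __name__ == "__main__":
    for user, ip, host, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{user} from {ip} on {host}: {'; '.join(reasons)}")
```

Run against the constructed sample, the detector reports the two jdoe logons (the KeyLength=0 network logon and the type 9 seclogo logon) and ignores the NTLMv2 logon with a 128-bit session key, the anonymous session and the Kerberos logon. Both heuristics have benign sources, legacy clients that do not negotiate session security and administrators using runas /netonly, so treat a hit as a lead to correlate with the source host, the account's normal logon pattern and the 4624 volume from that address, not as a verdict on its own.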
The format for a hashdump on Windows is typically organized as follows:
This format is commonly seen when extracting password hashes from the Security Account Manager (SAM) database in Windows.